Cyber Risk News
US military personnel will have to switch off any devices using GPS functionality if they are deployed in “operational areas” under a new Pentagon memo.
Spokesman Army Col. Robert Manning III told reporters yesterday that GPS use can “potentially create unintended security consequences and increased risk to the joint force and mission” in locations around the world.
“Effective immediately, Defense Department personnel are prohibited from using geolocation features and functionality on government and non-government-issued devices, applications and services while in locations designated as operational areas,” said Manning.
“The rapidly evolving market of devices, applications and services with geolocation capabilities presents a significant risk to the Department of Defense personnel on and off duty, and to our military operations globally.”
The memo from deputy defense secretary, Patrick Shanahan, takes account of the rapid rise in personal fitness apps, smart wearables and other technology used by soldiers in their spare time which could give enemy operatives clues as to their location, routines and numbers.
It’s more than likely to have come after a report last month revealed how popular fitness app Polar Flow could be manipulated to reveal the location and uncover the identities of thousands of military personnel.
That report in turn came just a few months after fitness app Strava was found to be revealing potentially sensitive information about military bases and supply routes via its global heat-map website.
"Our military is operating in a new, hyperconnected world where off-the-shelf products are introducing threats to national security," said Bill Leigher, a retired US Navy rear admiral who’s now director of government cyber solutions at Raytheon.
"For instance, we have seen indications where family Facebook postings have been used to analyze the movement of military units and thus compromised operations. Knowing this, information on a specific service member that was scraped from his or her GPS-connected device, paired with social media postings about where they work, what their military occupational specialty is and other like info could be used to generate an intelligence picture that is much more detailed than traditional intelligence sources alone might provide.”
Individual commanders will now be responsible for implementing the policy, with exceptions only allowed after conducting risk assessments.
Mobile banking Trojans ranked as a top security nuisance in the second quarter of 2018, alongside threats from a new cyber-espionage group, “Operation Parliament,” which is reportedly targeting high-profile companies in the Middle East and North Africa, especially Palestine, according to researchers at Kaspersky Lab.
Kaspersky Lab has published its Q2 IT Threat Evolution Report, and mobile banking Trojans topped the list of cyber headaches in Q2 2018, reaching an all-time high of more than 61,000 installation packages for mobile banking. Those numbers represent more than a threefold growth over Q1 2018. Out of all malware, US users were most often attacked with mobile banking malware in Q2.
By imitating other attack groups, Operation Parliament has remained somewhat under the radar, taking care to verify victim devices prior to infecting them. “The attacks, which started early in 2017, target parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies and others,” Kaspersky Lab researchers wrote in today’s post.
Another operation, ZooPark, has also targeted the Middle East with several variations of malware specifically aimed at Android devices, using two distribution vectors: Telegram channels and watering holes. In the latest version, researchers noted more complex spyware, suggesting that it may have been purchased from a surveillance tools vendor.
The report also noted the continued use of VPNFilter, malware used to infect different brands of routers, in addition to an ongoing campaign in Central Asia attributed to Chinese-speaking threat actor LuckyMouse. Additionally, the continued tracking of Olympic Destroyer revealed that it has started a new campaign.
“Our telemetry, and the characteristics of the spear-phishing documents we have analyzed, indicate that the attackers behind Olympic Destroyer are now targeting financial and biotechnology-related organizations based in Europe – specifically, Russia, the Netherlands, Germany, Switzerland and Ukraine,” researchers wrote.
Last month’s cyber-attack on SingHealth, which resulted in the breach of 1.5 million health records, might have been the work of an advanced persistent threat group, according to information disclosed by S. Iswaran, Singapore’s minister for communications and information in Parliament today.
Though reluctant to provide any specifics about which state might be behind the attack, Iswaran said that the detailed analysis of the attack, done by the Cyber Security Agency (CSA) of Singapore, indicated that it was likely a state-linked group because of the level of sophistication used by the attackers.
According to a 20 July press release, "CSA has ascertained that the cyber-attackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation. They subsequently managed to obtain privileged account credentials to gain privileged access to the database. Upon discovery, the breach was immediately contained, preventing further illegal exfiltration."
When pressed to attribute the attack to a specific state, Iswaran reportedly said, “In this sort of matter, while one can have a high level of confidence, one may not be able to have the certainty that you might need in order to specifically assign responsibility, and this is the kind of evidentiary threshold that may not stand up in a court of law. But at the operational level, the agencies that are involved have a high level of confidence,” according to Today Online.
Some of the tools reportedly used to compromise SingHealth included “customized malware that was able to evade SingHealth’s anti-virus software and security tools,” Iswaran told the Associated Press.
Among the millions of records compromised during the attack, which occurred between 27 June and 4 July 2018, were the health records of Singapore’s Prime Minister Lee Hsien Loong. The attack was made public on 20 July, at which point the government established a Committee of Inquiry (COI) to investigate the attack and determine the events leading up to the attack.
In reference to what has been called Singapore’s worst ever data breach, Iswaran told the AP, "Ensuring cybersecurity is a ceaseless battle, like our battle against terrorism. It involves changing technology and sophisticated perpetrators who are constantly developing new techniques and probing for fresh weaknesses.”
ICBA Bancard Inc. subsidiary TCM Bank, a company that aids community banks in issuing credit cards to their customers, announced that the personal data of thousands of people who applied for credit cards with their local banks was exposed, according to Brian Krebs.
The information that was leaked between early March and mid-July 2018 included the names, addresses, dates of birth and Social Security numbers of thousands of people across the more than 750 community banks that work with TCM Bank. The leak was reportedly discovered on 16 July, then fixed the following day. TCM told KrebsonSecurity that the leak was from one of the third-party vendors that manages its website.
As a network of community banks, TCM Bank handles documents filled with personally identifiable information (PII), including credit card applications. In this instance, misconfiguration – a critical application-security risk – resulted in a leak of customer information.
“Vulnerabilities and misconfigurations in websites are incredibly common, even among highly regulated financial services companies. Many businesses, across all industries, are still unaware of online business risks or have delayed taking appropriate action,” said Jessica Marie, cybersecurity evangelist at WhiteHat Security.
That the receiving organization is duty bound to protect the data customers share with it is a stance that policymakers have taken, as seen in regulations such as GDPR and New York Department of Financial Service's cybersecurity requirements. Increasingly, organizations are being held responsible for the security of their third parties, said Matan Or-El, CEO and co-founder of Panorays.
“When partnering with third parties, organizations cannot relieve themselves from the responsibility of security. In the eyes of the affected consumers, they provided the data to the organization and they hold that organization responsible.”
A potential result of a data breach for any organization is damage to brand and reputation, which is ironically what these community banks were trying to build by offering bank-branded credit card options to their customers.
“Trust is one of the most important elements in the relationship between banks and consumers. Customers trust their banks with the most sensitive of data, and any sort of breach can do real and lasting damage to the bank’s reputation in the eyes of consumers,” said Fred Kneip, CEO, CyberGRX.
“When an enterprise engages with a third party such as TCM Bank, they become responsible for that third party’s security controls. If there are easy-to-exploit vulnerabilities in their network, that becomes a part of your security posture. Companies need to understand that their third parties’ security controls are constantly vulnerable to new exploits or configuration changes, which creates a need to monitor and mitigate these risks as they arise.”
The FBI has been forced to post a public service announcement warning of the dangers of unprotected IoT devices.
In another sign of the growing threat posed by compromised smart devices, the update late last week claimed that attackers are using them as proxies to maintain anonymity and obfuscate network traffic.
Doing so enables them to engage in click fraud, trade illegal goods, send spam emails, and mask their internet browsing. IoT devices can also be conscripted into botnets which can be rented out, sold or used directly for credential stuffing and other attacks, the alert claimed.
The FBI listed several warning signs that users’ smart devices may have been taken over: a major spike in monthly internet usage, high ISP bills, slow or inoperable devices, unusual outgoing DNS queries and traffic, and slow internet connections.
Everything from routers and NAS devices to DVRs, Raspberry Pis, and even smart garage door openers could be at risk.
“Devices in developed nations are particularly attractive targets because they allow access to many business websites that block traffic from suspicious or foreign IP addresses. Cyber actors use the compromised device’s IP address to engage in intrusion activities, making it difficult to filter regular traffic from malicious traffic,” the notice continued.
“Cyber actors typically compromise devices with weak authentication, unpatched firmware or other software vulnerabilities, or employ brute force attacks on devices with default usernames and passwords.”
The risks posed by insecure consumer IoT devices have long been known — ever since the Mirai botnet DDoS-ed a string of big-name sites back in 2016. But with an estimated 20.4 billion connected 'things' in operation by 2020, the threat continues to rise.
That’s why the British Standards Institution launched a kitemark initiative earlier this year, in a bid to improve the baseline security of products by helping buyers to better identify smart devices they can trust to be reliable and secure.
In the meantime, the FBI urged users to reboot devices regularly, change default log-ins, use AV, ensure they’re up-to-date with patches, and isolate IoT devices from other network connections.
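The warning signs in the FBI notice can be turned into a simple check over the data a home or small-office router already has. The script below is an added example, not code from the FBI alert or any product: it flags a device whose latest month of traffic jumps well above its own baseline, and a device sending DNS queries to a resolver other than the one the LAN is configured to use. The log format, device names, IP addresses and thresholds are all constructed assumptions.

```python
"""Flag devices showing the warning signs the FBI alert lists: a spike in
monthly traffic volume and unusual outgoing DNS activity.
Added example code; log format and thresholds are assumptions."""
from collections import defaultdict

# Constructed sample data: monthly outbound traffic per device in GB, oldest first.
MONTHLY_USAGE_GB = {
    "dvr-01": [12, 11, 13, 95],        # sudden jump in the latest month
    "nas-01": [40, 42, 39, 41],
    "garage-01": [0.2, 0.2, 0.3, 0.2],
}

# Constructed DNS log lines: "<device> <resolver_ip> <queried_name>"
DNS_LOG = """\
dvr-01 192.168.1.1 ntp.pool.example
dvr-01 203.0.113.9 a1.rogue-resolver.example
dvr-01 203.0.113.9 x7q2.example
dvr-01 203.0.113.9 p9r1.example
nas-01 192.168.1.1 update.vendor.example
garage-01 192.168.1.1 api.vendor.example
"""

EXPECTED_RESOLVER = "192.168.1.1"   # assumed: the LAN's configured DNS server
SPIKE_FACTOR = 3.0                  # assumed: latest month > 3x prior mean is a spike


def prior_mean(history):
    """Mean of all months except the latest; 0.0 if there is no history."""
    prior = history[:-1]
    return sum(prior) / len(prior) if prior else 0.0


def usage_spike(history, factor=SPIKE_FACTOR):
    """True if the latest month exceeds `factor` times the mean of prior months."""
    baseline = prior_mean(history)
    return baseline > 0 and history[-1] > factor * baseline


def parse_dns_log(text):
    """Group DNS log lines into {device: [(resolver_ip, queried_name), ...]}."""
    by_device = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        device, resolver, qname = parts
        by_device[device].append((resolver, qname))
    return by_device


def unusual_dns(queries, expected_resolver=EXPECTED_RESOLVER):
    """Return the set of resolver IPs a device used that are not the expected one."""
    return {resolver for resolver, _ in queries if resolver != expected_resolver}


def assess(usage=MONTHLY_USAGE_GB, dns_log=DNS_LOG):
    """Return {device: [reasons]} for devices showing one or more warning signs."""
    findings = defaultdict(list)
    for device, history in usage.items():
        if usage_spike(history):
            findings[device].append(
                "traffic spike: %.1f GB this month vs %.1f GB baseline"
                % (history[-1], prior_mean(history)))
    for device, queries in parse_dns_log(dns_log).items():
        rogue = unusual_dns(queries)
        if rogue:
            findings[device].append(
                "DNS to unexpected resolver(s): " + ", ".join(sorted(rogue)))
    return dict(findings)


if __name__ == "__main__":
    for device, reasons in assess().items():
        print(device, "->", "; ".join(reasons))
```

With the constructed data only dvr-01 is flagged, on both counts; a real deployment would feed the router's per-client byte counters and its DNS query log into the same two checks.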
Privacy International has written to the investigatory powers commissioner (IPC) requesting an urgent review into potentially unlawful use by the UK police of mobile phone extraction (MPE) technology.
Created by the controversial Investigatory Powers Act 2016, the role of IPC is to provide oversight of the intelligence services and police.
The rights group wants the IPC lord justice Fulford to investigate whether there’s a proper legal basis for the police to be using MPE tech and whether it’s “necessary and proportionate” to do so given its intrusive nature.
"We are concerned that the police are able to download all of the contents of people's phone, when no one seems to be sure whether there is a law or statute that says they can do this. Policing isn't meant to be a free-for-all, where they can make up their own rules as they go along,” argued Privacy International solicitor Millie Graham Wood.
“We are really worried that the police's use of this highly intrusive technology is growing at an alarming rate, without any proper scrutiny, and crucially without people knowing their rights when faced with a police officer who wants to search their phone.”
The move follows the release of the group’s Digital Stop and Search report in March which collected FoI responses from 47 police forces, over half (55%) of which admitted they were using MPE tools, with a further 17% trialling the technology.
It revealed confusion over the legal basis for their use, stemming from a lack of guidance at a national and regional level.
Data is often extracted from devices without the user’s knowledge, stored insecurely and for an indefinite period, and taken not just from suspects but also victims and witnesses, even for investigations of low-level crimes, the report claimed.
“Having issued a complaint to the information commissioner, raising potential breaches of data protection legislation, we have now contacted Sir Adrian Fulford, the investigatory powers commissioner, to ask him to consider whether the way mobile phone extraction technology has been used by the police constitutes intrusive surveillance such that it should fall within his remit,” concluded Graham Wood.
“If the use of mobile phone extraction technologies constitutes either interception or hacking, then this raises a fundamental issue as to the legality of the actions by a large number of police forces over a lengthy period of time."
Taiwanese semiconductor firm TSMC has revealed that a malware outbreak which affected its IT systems last week could result in a 3% hit to revenue.
The iPhone chipmaker said in an update on Sunday that the virus “affected a number of computer systems and fab tools” on Friday evening local time, but that it was believed there would be no lasting damage.
“The degree of infection varied by fab. TSMC contained the problem and found a solution. As of 14:00 Taiwan time, about 80% of the company’s impacted tools have been recovered, and the Company expects full recovery on August 6,” it said.
“TSMC expects this incident to cause shipment delays and additional costs. We estimate the impact to third quarter revenue to be about 3%, and impact to gross margin to be about one percentage point. The Company is confident shipments delayed in third quarter will be recovered in the fourth quarter 2018, and maintains its forecast of high single-digit revenue growth for 2018 in U.S. dollars given on July 19, 2018.”
The world’s largest dedicated semiconductor foundry said that neither data integrity nor confidential information were compromised by the incident.
“This virus outbreak occurred due to mis-operation during the software installation process for a new tool, which caused a virus to spread once the tool was connected to the Company’s computer network,” it explained.
“TSMC has taken actions to close this security gap and further strengthen security measures.”
The incident comes at a bad time for the firm as it looks to ramp up production for the second half of the year in preparation for some big-name autumn product launches. Aside from Apple, clients include the likes of Qualcomm, Nvidia and AMD.
TSMC said it is working closely with these customers on their wafer delivery schedules.
A national nonprofit organization, SecureSet Foundation, created by SecureSet Academy, aims to increase diversity in the cybersecurity workforce by offering financial assistance, according to a press release from SecureSet Academy.
The creation of the SecureSet Foundation will enable individuals to enhance and build their professional skills in the field of cybersecurity, which will also help to fill the talent pipeline. Formed in response to employers that have been collaborating with SecureSet, the foundation’s goal is to help meet immediate concerns over the lack of diversity in the global cybersecurity field.
“According to a report from Frost & Sullivan, women comprise a mere 11 percent of the cybersecurity workforce and globally men are four times more likely to hold C- and executive-level positions and nine times more likely to hold managerial positions than women,” the press release stated. “Data from the latest (ISC)2 report shows the disparity in representation is mirrored across cybersecurity professionals who identify as racial or ethnic minorities.”
Industry leaders have long understood the need to develop nontraditional recruitment methods that will attract candidates with a variety of nontechnical skills who are capable of complex problem-solving. As is often the case with cybersecurity recruiting efforts, military veterans and women make attractive candidates for the foundation as well.
The SecureSet Foundation hopes to narrow the gap between talented candidates and job applicants by delivering cybersecurity education while defraying the financial burden for those candidates who are interested in transitioning to or entering into the cybersecurity field.
“As it stands, the cybersecurity industry is in dire need of fresh faces and new perspectives, particularly at a time when the job market already has a negative unemployment rate,” said Brad Davis, executive director of SecureSet Foundation. “Reaching new, previously untapped individuals and providing them with the skills and education to become part of the cybersecurity workforce is a critical piece of addressing the shortage of qualified professionals in this field.”
“A lack of diversity is a critical problem for any industry and is particularly acute when it comes to cybersecurity,” said Bret Fund, CEO and founder of SecureSet. “By promoting a more diverse population of cybersecurity professionals and offering grants to underserved populations, we can tackle new threats with the best combination of creative, and technologically savvy, minds possible from a wide array of backgrounds and experiences.”
A newly discovered adversarial group has been targeting operations in electrical utilities in the US, according to Dragos. The activity group, dubbed RASPITE, has reportedly been active in some capacity since early to mid-2017.
Dragos has confirmed that RASPITE is now targeting ICS, specifically electric utilities in the US, Europe, Middle East and East Asia. While researchers have confirmed that this new group is targeting electric utilities, there is no current indication the group has the capability of destructive ICS attacks, including widespread blackouts like those in Ukraine.
Detailed in a blog post, analysis of the group’s activity revealed that the group currently focuses on initial access operations within the electrical utility sector. They gain access to their target networks by leveraging strategic website compromise. RASPITE also maps to LeafMiner, a group that Symantec recently reported on in the Middle East.
“RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials,” the blog post stated. Deploying install scripts grants them remote access to the victim machine via a malicious service that beacons back to RASPITE-controlled infrastructure.
“Dragos caught RASPITE early in its maturity, which is ideal as it allows us to track its behavior and threat progression to help organizations defend against them. RASPITE uses common techniques, which is good because defenders with sufficient monitoring can catch them and mitigate any opportunity for them to get better,” said Sergio Caltagirone, director of threat intelligence, Dragos.
"At this time we are limiting the amount of information in our public reports to avoid the proliferation of ideas or tradecraft to other activity groups. Although Dragos does not conduct country-specific attribution of industrial control threats, generally threats focused on industrial control are state sponsored due to the inherent risk, limited financial gain and potential blow back from the operations.”
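The credential-harvesting step described above depends on a workstation being coaxed into an SMB connection to attacker-controlled infrastructure, which on most networks means TCP/445 or TCP/139 leaving for an address outside the organization. The script below is an added example for defenders, not code from Dragos or the blog post: it reads constructed firewall flow records and reports SMB egress to any address outside an assumed set of internal ranges, including denied attempts, since a blocked connection still shows which host tried to authenticate outward. Log format, IP addresses and the internal ranges are assumptions.

```python
"""Report outbound SMB (TCP/445, TCP/139) flows to addresses outside the
organization's internal ranges. Added example code; the flow-log format and
the internal network list are assumptions."""
import ipaddress

# Assumed internal address space; adjust to the organization's own ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

SMB_PORTS = {445, 139}

# Constructed sample flow records: "<src_ip> <dst_ip> <proto> <dst_port> <action>"
FLOW_LOG = """\
10.20.5.17 10.20.1.10 tcp 445 allow
10.20.5.17 198.51.100.23 tcp 445 allow
10.20.5.31 198.51.100.23 tcp 443 allow
10.20.5.42 192.0.2.77 tcp 445 deny
10.20.5.42 192.0.2.77 tcp 139 allow
not a valid line
"""


def is_external(ip_str):
    """True if the address is outside every assumed internal range."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (src, dst, proto, port, action) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, proto, port, action = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            yield src, dst, proto.lower(), int(port), action.lower()
        except ValueError:
            continue  # bad IP or port field: not a usable record


def external_smb_egress(text=FLOW_LOG):
    """Return [(src, dst, port, action)] for SMB flows bound for external hosts.

    Denied flows are included on purpose: a blocked 445 egress still shows that
    a host was induced to connect to an external SMB server, which is the
    behaviour worth investigating on the source machine.
    """
    hits = []
    for src, dst, proto, port, action in parse_flows(text):
        if proto == "tcp" and port in SMB_PORTS and is_external(dst):
            hits.append((src, dst, port, action))
    return hits


if __name__ == "__main__":
    for src, dst, port, action in external_smb_egress():
        print("%s -> %s tcp/%d (%s)" % (src, dst, port, action))
```

The internal-to-internal 445 flow on the first record is left alone, since SMB inside the network is normal; only the three flows leaving for 198.51.100.23 and 192.0.2.77 are reported.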
Following Trump’s meeting last week with the National Security Council, national security adviser, John Bolton, has actively taken to the pen and the podium, announcing what steps the current administration has taken to advance election security and defend against cyber-attacks on critical infrastructure.
In a 2 August letter responding to the letter he received from five senators critical of Trump's response to Russia, Bolton expressed his pleasure at having the chance to explain the “extensive, historic actions the Trump Administration has already taken to ensure the integrity of our elections and to defend against foreign malign influence.”
Referring to Trump’s efforts as unprecedented, Bolton went on to write that the actions Trump has taken, which include sanctions, the closure of Russian consulates and banning the use of Kaspersky Lab software because of its ties with Russian intelligence, “will also deter Russia and other adversaries from attempting to disrupt American elections.”
Then at yesterday’s White House press conference Bolton tried to impress upon reporters the fact that members of the administration meet frequently to discuss cybersecurity, particularly as it pertains to election security. Bolton said, "In my tenure as National Security Advisor – less than two months – we've already had two full National Security Council meetings chaired by the President and, as I say, countless other discussions as well."
“Since January 2017, the President has taken decisive action to defend our election systems from meddling and interference,” he continued.
His affirmation reiterated the words of Vice President Mike Pence, who said at the Department of Homeland Security Cybersecurity Summit in New York City, “We’ve already done more than any administration in history to protect the ballot box, and we’ve barely just begun."
Bolton went on to explain that Trump’s decisive actions include “measures to heighten the security and resilience of election systems and processes, to confront Russian and other foreign malign influence in the United States, to confront such aggression through international action and to reinforce a strong sanctions regime.”
Many of the actions remain classified so as not to publicly disclose information that could potentially benefit adversaries, though the administration has offered to share that classified information with Congress.
The UK government has pledged £100m to drive digital transformation in the police force, helping it tackle cybercrime and improve its controversial use of biometrics.
The home secretary has already approved £70m of the Police Transformation Fund allocation to four projects.
A National Enabling Programme will create a unified IT system across police forces to “deliver more joined-up working within and between forces,” while a Digital Policing Portfolio aims to create an online hub where members of the public can report low-level incidents, rather than at their local station.
However, the Specialist Capabilities Programme has the biggest impact in the cyber-policing sphere, aiming to improve resource-sharing between forces.
“In cybercrime, for example, the program seeks to ensure forces can tackle digitally-dependent crime, with oversight provided through regional organized crime units (ROCUs),” the government claimed.
The idea throughout is that these initiatives drive efficiencies and cash savings, freeing up police to focus on frontline tasks rather than being saddled with back-office bureaucracy.
Perhaps the most controversial area to receive funding is biometrics. A Transforming Forensics program is designed to “improve how biometric services and digital forensics are used, including the development of a 24/7, faster, fingerprint identification service.”
It’s an area in which the police in the UK have so far consistently failed.
A Big Brother Watch report from May called on the police to abandon its “dangerous and inaccurate” facial recognition technology after FoI responses from three forces revealed a false positive rate of 98%, despite an investment of millions of pounds of taxpayer funds.
The wider investment in IT for the police force is to be welcomed, although there’s still a concerning dearth of officers trained in cyber-skills, according to several reports.
Most recently thinktank Reform called on the government to create a digital academy to train specialist cyber police officers, and increase the number of volunteers with these skills.
It recommended a new digital academy capable of graduating 1700 officers and staff each year, and an increase in the current 40 volunteers with cyber-skills to 12,000.
Facebook’s outspoken CSO Alex Stamos has announced he has accepted a role at Stanford University and will leave the firm later this month.
The former Yahoo CSO’s last day at the social network will be August 17, and he will join the university as full-time teacher and researcher from September.
“I have had the pleasure of lecturing at Stanford for several years, and now I will have the honor of guiding new generations of students as an adjunct professor at the Freeman-Spogli Institute for International Studies,” he explained in a Facebook update.
“This fall, I am very excited to launch a course teaching hands-on offensive and defensive techniques and to contribute to the new cybersecurity master's specialty at FSI. I am also looking forward to other opportunities to contribute to Stanford's focus on ethically designing and implementing new technologies.”
It had been reported that Stamos fell out with his superiors after advocating a more transparent line on Russian manipulation of the site ahead of the 2016 US election.
While at Yahoo, Stamos also clashed with NSA boss Mike Rogers on government requests that tech firms effectively build crypto-backdoors into their products. He resigned from his role at the internet pioneer after reportedly finding out Yahoo had built scanning software to comply with classified government demands for customer data.
There will be question marks over his successor at Facebook. Whoever takes the role will have a major task continuing to build trust in the company.
Just this week the social network took some early steps on that journey by announcing the shutdown of a handful of fake accounts and pages linked to the infamous Russian Internet Research Agency (IRA), blamed for much of the pre-2016 election interference on social media.
So far there’s no word on who will step into Stamos’ shoes but Facebook will want to avoid the kind of three-month gap that preceded his arrival at such a crucial juncture for the firm, if nothing else to reassure investors of its commitment to improving security.
The government is relying on a “skeleton staff” of security analysts to root out and respond to online threats, according to a new FoI request.
SIEM specialist Huntsman Security wanted to find out the level of preparedness within government to tackle serious cyber-attacks. The National Cyber Security Centre (NCSC) claimed in April to have responded to more than 800 “significant incidents” since October 2016.
Unfortunately, the FoI requests revealed that many agencies appear under-resourced. The Scottish Prison Service and Scottish Public Pensions Agency said they have no full-time security analysts, while the Northern Ireland Assembly has just two.
Several other departments reported no increase in staff numbers over the past few years.
Huntsman Security argued that the lack of skilled analysts on the frontline could expose the government to the risk of successful attacks or employee burn out.
“As organizations come under great cyber-pressure from adversaries and their analysts become more and more stretched, the risk of a spiraling increase of successful attacks is likely,” said Piers Wilson, head of product management. “The consequences of a successful breach of government and other organizations are severe so they need to limit any likely deficiencies in their cybersecurity protection by better supporting the analysts that protect them.”
However, he acknowledged that skills shortages are a global problem, with predictions of a shortfall in skilled professionals of 1.8 million by 2022.
Government departments must invest now in managed services and machine learning/automation to relieve these skills gaps, as the cost of dealing with a serious attack is likely to exceed any initial outlay now, the firm argued.
The news comes at a time of heightened pressure on the UK’s critical infrastructure and government networks, as state-sponsored actors — particularly from Russia — step up their efforts to disrupt and eavesdrop.
The vast majority of small to medium-sized businesses (SMBs) rank security as their top priority, though less than a third of those organizations have a dedicated IT security professional on staff, according to 2018 SMB IT Security Report, released today by Untangle.
More than 350 SMBs worldwide participated in the survey, which attempted to gauge their state of IT security by looking at trends in budget and resource constraints, breaches, IT infrastructure, cloud adoption and the general state of IT. The report found that SMBs continue to struggle when it comes to deploying IT security solutions, largely because of tight security budgets and a lack of expert staff. With more companies planning to implement SD-WAN solutions, increasing reliance on cloud infrastructure is a growing concern for network security.
Additionally, the report revealed that 75% of SMBs have fewer than five physical locations and 60% of those businesses have fewer than 100 end-user devices; however, 34% of all respondents said they do not have a BYOD policy. While almost 80% of respondents ranked security as very important to the business, more than half of them are spending less than $5,000 per year on IT security. Of those, half are spending less than $1,000 per year.
Less than 30% of businesses have at least one dedicated IT security professional, and more than 50% of businesses said that they distribute IT security responsibilities across other roles. Budget constraints are the biggest obstacle in advancing the IT security for 47% of survey respondents, while 37% said that they have limited time to research and understand new threats. Another 34% said the skills gap is a problem because they lack the manpower to monitor and manage security (multiple responses allowed).
“SMBs have less expertise and fewer dollars to dedicate to IT security, but they are the primary target of a growing number of phishing and malware threats, particularly as they move towards more cloud-based tools,” Scott Devens, CEO at Untangle, said in a press release. “This report confirms that SMBs are in dire need of easy-to-deploy, intuitive solutions to protect their networks that don’t require hiring additional personnel or time-intensive commitments from existing staff.”
The deal will purportedly see Cisco pay $2.35bn in cash and assumed equity awards for Duo Security’s outstanding shares, warrants and equity incentives on a fully-diluted basis.
Duo Security, headquartered in Michigan, provides unified access security and multi-factor authentication through the cloud, offering zero-trust authentication and access products.
“In today’s multicloud world, the modern workforce is connecting to critical business applications both on- and off-premise,” said David Goeckeler, executive vice-president and general manager of Cisco’s networking and security business.
“IT teams are responsible for protecting hundreds of different perimeters that span anywhere a user makes an access decision. Duo’s zero-trust authentication and access products integrated with our network, device and cloud security platforms will enable our customers to address the complexity and challenges that stem from multi- and hybrid-cloud environments.”
The deal is expected to be completed at some point during Q1 of Cisco’s fiscal year 2019, with Duo Security, which will continue to be led by Song, joining Cisco’s Networking and Security business led by Goeckeler.
“Our partnership is the product of the rapid evolution of the IT landscape alongside a modernizing workforce, which has completely changed how organizations must think about security,” said Dug Song, Duo Security’s co-founder and chief executive officer. “Cisco created the modern IT infrastructure, and together we will rapidly accelerate our mission of securing access for all users, with any device, connecting to any application, on any network.”
Members of the cybercrime gang FIN7, also known as Carbanak and JokerStash and suspected of targeting more than 100 organizations in the US and others around the globe, were arrested by the Department of Justice (DOJ) on Wednesday 1 August 2018.
Ukrainian nationals Dmytro Fedorov, 44; Fedir Hladyr, 33; and Andrii Kolpakov, 30, are in custody, charged with 26 felony counts of alleged conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft. The charges were filed in Seattle’s US District Court, according to news from the DOJ. Since as early as 2015, the crime gang has engaged in a malware campaign targeting hundreds of companies, including Chipotle Mexican Grill, Chili’s and Arby’s.
“FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations,” the DOJ wrote.
The arrest of these malicious actors responsible for prolific financial theft on an immense scale is good news to the industry experts at Kaspersky Lab, who have long been tracking the Carbanak threat. In 2014, Kaspersky researchers observed that Carbanak was the first to apply to common financial crime the highly sophisticated tools, techniques and processes normally associated with nation-state-backed threat actors.
“Following the publication of our findings, the gang did not disband and disappear as many others do; it stayed and in fact extended its activities,” Kaspersky Lab wrote in an email. “Our research shows that, over time, Carbanak turned into an umbrella for a range of cyber-criminal activities all sharing the same purpose of illicit financial gain. We believe that the kind of active international cooperation that led to these arrests is the key to catching and stopping the most sophisticated cyber-threats.”
The arrest of the Ukrainian nationals tied to the FIN7 cybercrime group is significant, said Illumio's head of cybersecurity strategy, Jonathan Reiber. “It shows how hard work and international law enforcement cooperation leads to real results. German, Polish, and Spanish law enforcement agencies worked together to bring these criminals to justice. Cyber-space may be comprised of darknets and bits and bytes, but leadership, detective work and alliance cooperation are what bring down criminal organizations.”
Amnesty International found hackers attempting to infect one of its researchers’ phones with a tool from Israel-based NSO Group, long known as a maker of spyware, the NGO reported.
Amnesty International’s tech team launched an investigation after one of its staff members received a suspicious WhatsApp message in Arabic, which detailed information about a protest at Washington D.C.’s Saudi embassy. The message included a malicious link for further details. Because the NSO Group spyware is mainly sold to government agencies, Amnesty International believes that it was targeted by a hostile government that takes issue with its work.
“The potent state hacking tools manufactured by NSO Group allow for an extraordinarily invasive form of surveillance,” said Joshua Franco, Amnesty International’s head of technology and human rights. “A smartphone infected with Pegasus is essentially controlled by the attacker – it can relay phone calls, photos, messages and more directly to the operator. This chilling attack on Amnesty International highlights the grave risk posed to activists around the world by this kind of surveillance technology.”
Had the victim clicked, they would have installed the highly sophisticated Pegasus surveillance tool. “Pegasus (the NSO spyware) almost found itself in the wild after one of its workers decided to try and sell it on the dark web,” said Koby Kilimnik, security researcher at Imperva, “but there isn’t a good way to prevent such hacking tools from falling into the wrong hands.”
NSO Group reportedly told Amnesty International that its spyware is intended to be used as an investigative tool to prevent crime and terrorism and that any other use is a violation of its acceptable use policy. “While malware from firms such as the NSO Group can, and apparently has, been used to spy on human rights activists and others, the code itself is unbiased and has no agenda,” said Lee Munson, security researcher at Comparitech.
“For that reason and given the fact that its intended target was supposedly terrorists, it is very hard indeed to legislate against it. Additionally, malware propagates so quickly and in so many unusual ways that it is hard to block it completely,” Munson continued.
“Whether or not governments should be dabbling in such surveillance code is an interesting question and the answer is not easy to come by – balancing privacy against security is a problem politicians will be fighting over for decades to come.”